On Mon, Mar 13, 2006 at 12:25:13AM +0100, Martin Schulze wrote:
> An algorithm weakness has been discovered in Apache2::Request, the
> generic request library for Apache2 which can be exploited remotely
> and cause a denial of service via CPU consumption.
Looks like the backport was incomplete, unfortunately; it breaks file uploads
(see #358689). I've made a fix (attached) which seems to fix the problem for
me; Gunnar, could you please test it on your side too?
/* Steinar */
--
Homepage: http://www.sesse.net/
diff -ur libapreq2-perl-2.04-dev/debian/changelog libapreq2-perl-2.04-dev-fixupload/debian/changelog
--- libapreq2-perl-2.04-dev/debian/changelog 2006-03-31 16:48:01.000000000 +0200
+++ libapreq2-perl-2.04-dev-fixupload/debian/changelog 2006-03-31 16:49:58.000000000 +0200
@@ -1,3 +1,10 @@
+libapreq2-perl (2.04-dev-1sarge2) stable-security; urgency=low
+
+ * Fix incomplete backport from -1sarge1, breaking file uploads.
+ (Closes: #358689)
+
+ -- Steinar H. Gunderson <[EMAIL PROTECTED]> Fri, 31 Mar 2006 16:48:30 +0200
+
libapreq2-perl (2.04-dev-1sarge1) stable-security; urgency=high
* [CVE-2006-0042] Eliminate potential quadratic behavior in
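Review bot: the new changelog entry at the top of the hunk describes the change only as "incomplete backport from -1sarge1", without naming the advisory it repairs; since the -1sarge1 entry directly below it is tagged [CVE-2006-0042], the -1sarge2 entry should reference the same CVE so the security tracker and users can tie the upload-breaking regression to that fix. Also reconsider urgency=low: this is a stable-security upload restoring a core function (file uploads) that the urgency=high security update broke, and the urgency should normally match that of the upload it corrects.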
diff -ur libapreq2-perl-2.04-dev/src/apreq_parsers.c libapreq2-perl-2.04-dev-fixupload/src/apreq_parsers.c
--- libapreq2-perl-2.04-dev/src/apreq_parsers.c 2006-03-31 16:48:01.000000000 +0200
+++ libapreq2-perl-2.04-dev-fixupload/src/apreq_parsers.c 2006-03-31 16:50:05.000000000 +0200
@@ -397,7 +397,6 @@
APREQ_DECLARE_PARSER(apreq_parse_headers)
{
apr_pool_t *pool = apreq_env_pool(env);
- apr_ssize_t nlen, glen, vlen;
apr_bucket *e;
struct hdr_ctx *ctx;
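Review bot: removing the local `apr_ssize_t nlen, glen, vlen;` from apreq_parse_headers means glen and vlen must now be members of `struct hdr_ctx`, but this diff does not touch the struct definition; confirm that the -1sarge1 backport already added `glen` and `vlen` alongside `nlen` to hdr_ctx (the unchanged call below already used `ctx->nlen`), otherwise the function no longer compiles. The behavioural difference to check is lifetime: the locals were fresh on every parser call, whereas ctx fields persist across calls on the same request, which is exactly what a header split across brigades needs, but it also means the fields must be explicitly reset to zero in the ctx initialisation and after each header is emitted, or a stale length from the previous header will be carried into the next split_header.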
@@ -531,14 +530,14 @@
case '\t':
ctx->status = HDR_CONTINUE;
++off;
- vlen += 2;
+ ctx->vlen += 2;
break;
default:
/* can parse brigade now */
if (off > 0)
apr_bucket_split(e, off);
- s = split_header(t, ctx->bb, ctx->nlen, glen, vlen);
+ s = split_header(t, ctx->bb, ctx->nlen, ctx->glen,
ctx->vlen);
if (s != APR_SUCCESS) {
ctx->status = HDR_ERROR;
return s;
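Review bot: only two uses are converted here, `vlen += 2` in the '\t' continuation case and the `glen, vlen` arguments to split_header in the default case, yet the parser's other states (the ' ' continuation, the name/gap/value accumulation cases that increment nlen, glen and vlen) are outside the hunk; please verify every remaining reference in the function was moved to `ctx->` the same way, and that `ctx->glen` and `ctx->vlen` are reset to 0 once split_header has returned APR_SUCCESS, since the code shown returns on error but does not show the reset on the success path. A regression test that posts a multipart upload whose headers straddle a brigade boundary (the case #358689 reports) would pin down both the fix and the reset.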